一、编译安装
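#!/usr/bin/env bash
# Build and install nginx 1.18.0 with the openresty echo module on a yum-based
# system. Run as root. Everything is unpacked under /usr/local/soft, which is
# the directory the --add-module option below refers to.
set -euo pipefail

readonly src_dir=/usr/local/soft
readonly nginx_ver=1.18.0
readonly echo_ver=0.62

mkdir -p -- "$src_dir"
cd -- "$src_dir"

# echo module (provides the `echo` directive used by the /realip test location).
wget "https://github.com/openresty/echo-nginx-module/archive/v${echo_ver}.tar.gz"
tar -zxvf "v${echo_ver}.tar.gz"

# Build dependencies.
yum -y install gcc gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel --setopt=protected_multilib=false

# nginx source, fetched over TLS (the original notes used plain http). nginx.org
# publishes a detached PGP signature next to each tarball
# (nginx-<ver>.tar.gz.asc); verify it before building so a tampered download
# cannot end up in the installed binary.
wget "https://nginx.org/download/nginx-${nginx_ver}.tar.gz"
tar -xzvf "nginx-${nginx_ver}.tar.gz"
cd -- "nginx-${nginx_ver}"

# Optional, and only before ./configure: edit src/core/nginx.h to change the
# version and server strings nginx advertises (the original notes used "10.0"
# and "Microsoft-IIS/"). This only changes the banner and is no substitute for
# keeping nginx patched; the `server_tokens off` directive hides the version too.

# Unprivileged account the worker processes run as; no login shell. Both steps
# are skipped when the group/user already exist so the script can be re-run.
getent group www >/dev/null || groupadd www
id -u www >/dev/null 2>&1 || useradd -g www www -s /bin/false

# Log and temp directories referenced by ./configure and the config files.
mkdir -p /var/cache/nginx/client_temp/ /var/log/nginx/ /usr/local/nginx/tmp/proxy_temp /var/tmp/nginx/fcgi/ /var/tmp/nginx/proxy/

# --with-http_dav_module is compiled in but no dav_methods are configured in
# the vhosts; drop it if WebDAV is not actually needed.
./configure --prefix=/usr/local/nginx \
  --sbin-path=/usr/local/nginx/sbin/nginx \
  --error-log-path=/var/log/nginx/error.log \
  --pid-path=/usr/local/nginx/logs/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --user=www --group=www \
  --with-http_ssl_module \
  --with-http_dav_module \
  --with-http_realip_module \
  --with-http_flv_module \
  --with-http_gzip_static_module \
  --with-http_stub_status_module \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/cache/nginx/client_temp/ \
  --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
  --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
  --add-module="${src_dir}/echo-nginx-module-${echo_ver}/"
make && make install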
二、nginx.conf
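# Worker processes run as the unprivileged account created at build time
# (./configure --user=www --group=www); the master still starts as root to
# bind port 443. The original `user root;` ran every worker — and thus every
# request handler, proxy and echo — as root. Because the vhost access_log
# paths contain variables, the log files are opened by the workers, so
# /var/log/nginx must be writable by www.
user www www;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    use epoll;
    worker_connections 2048;
}
http {
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    # nginx 1.18 still enables TLSv1 and TLSv1.1 by default; restrict every ssl
    # server below to modern protocols (the vhosts do not set this themselves).
    # TLSv1.3 is accepted by the parser and simply unused if OpenSSL lacks it.
    ssl_protocols TLSv1.2 TLSv1.3;

    ## Original client address when the request arrives through a CDN/proxy:
    ## the first entry of X-Forwarded-For. CAVEAT: that header is written by
    ## whoever connects to this server, so everything keyed on $clientRealIp
    ## (limit_conn, limit_req, the log format, the /realip location) is only
    ## trustworthy when this origin is reachable exclusively through the CDN.
    ## If clients can reach it directly, prefer the realip module (compiled in):
    ## set_real_ip_from with each CDN range plus real_ip_header X-Forwarded-For.
    map $http_x_forwarded_for $clientRealIp {
        # No header: the TCP peer is the client.
        "" $remote_addr;
        # First comma-separated entry (IPv4 only).
        ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
        # Anything else (an IPv6 or malformed first entry) used to yield an
        # empty key, and requests with an empty key are not counted by
        # limit_conn/limit_req at all; fall back to the peer address instead.
        default $remote_addr;
    }
    # Custom log format: derived client address, TLS details and upstream timings.
    log_format main '$clientRealIp [$time_local] "$request" $status "$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher $upstream_addr $request_time $upstream_response_time';
    # Connection limit per derived client address; applies to every server in
    # this http block.
    limit_conn_zone $clientRealIp zone=TotalConnLimitZone:10m;
    limit_conn TotalConnLimitZone 5; # at most 5 concurrent connections per address
    # Request rate: 10 requests per second per address. The zone is only
    # activated where a server block uses limit_req.
    limit_req_zone $clientRealIp zone=ConnLimitZone:10m rate=10r/s;
    include mime.types;
    include gzip.types;
    default_type application/octet-stream;
    include vhosts/*.conf;
}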
二、gzip.types
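# Global http-level settings (included from nginx.conf). Despite the file name
# only the middle section concerns gzip.
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
keepalive_timeout 65;
# These override the --http-client-body-temp-path and --http-proxy-temp-path
# values passed to ./configure; both directories must be writable by the
# worker user.
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/tmp/proxy_temp;

# gzip module
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2; # compression level
# MIME types to compress. text/html is always included and need not be listed
# (listing it only produces a startup warning). The stock mime.types maps .js
# to application/javascript, so listing only the legacy
# application/x-javascript left JavaScript uncompressed; both are kept so
# either mapping is covered.
# NOTE(review): compressing TLS responses that mix secrets with
# attacker-influenced content is subject to compression side channels
# (BREACH); these types are static assets, the case to review is text/html
# coming back from the proxied backend.
gzip_types text/plain application/javascript application/x-javascript text/css application/xml;
gzip_vary on;
# NOTE(review): three-minute header/body/send timeouts keep slow or idle
# connections open far longer than the 60s defaults; consider lowering them
# unless large uploads require it.
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;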
三、vhosts/**1.conf
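server {
    listen 443 ssl;
    # certificate chain
    ssl_certificate /opt/web/ssl/***.com.pem;
    # private key
    ssl_certificate_key /opt/web/ssl/***.com.key;
    server_name ***.com www.***.com *.***.com;
    root /opt/web/***.com/;
    index default.html index.html index.htm;

    # Address chain as forwarded by the CDN. This is the raw, client-supplied
    # header (possibly several comma-separated entries) and is handed to the
    # backend as X-Real-IP below; the backend must not treat it as
    # authenticated.
    set $Real_IP $http_x_forwarded_for;

    # Request rate limit (zone from nginx.conf: 10 r/s per $clientRealIp).
    # Up to 5 extra requests are served immediately from the burst allowance,
    # so a client gets at most 15 requests through in one second; beyond that
    # nginx answers 503.
    limit_req zone=ConnLimitZone burst=5 nodelay;

    # Extract YYYY-MM-DD from the request time so access logs are split per day.
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $access_date $1-$2-$3;
    }
    access_log /var/log/nginx/$access_date.access_www.***.com.log main;
    error_log /var/log/nginx/error_www.***.com.log warn;

    error_page 401 404 /40x.html;
    error_page 500 504 /50x.html;
    location = /40x.html {
        root /usr/local/nginx/html;
    }
    location = /50x.html {
        root /usr/local/nginx/html;
    }

    # Canonical-host redirect (also catches the *.***.com wildcard).
    if ($host != 'www.***.com') {
        rewrite ^/(.*)$ https://www.***.com/$1 permanent;
    }

    # Block servlet-container metadata directories. Declared as ^~ prefix
    # locations so they take precedence over the regex locations below. The
    # original `location ~ ^/(WEB-INF|META-INF)/*` came after
    # `~ .*\.(js|css|html)$`, and nginx uses the first matching regex, so
    # e.g. /WEB-INF/anything.html was served with a 7d expiry instead of
    # denied. The prefixes (no trailing slash) cover the same URIs the old
    # regex did.
    location ^~ /WEB-INF {
        deny all;
    }
    location ^~ /META-INF {
        deny all;
    }

    # Diagnostic endpoint: echoes the address nginx derived for this client.
    location /realip {
        default_type text/plain;
        echo $clientRealIp;
    }

    # Source-map requests are redirected to an empty placeholder.
    rewrite ^/(.*).js.map /resource/js/nullmap.txt permanent;
    # Apple touch-icon requests
    rewrite ^/apple-touch-(.*).png /resource/img/logo-ren.png permanent;

    # The four proxied paths below talk to the backend over plain HTTP on
    # port 82; that is only acceptable on a network the backend trusts.
    # Captcha
    location ^~ /auth/vCode {
        proxy_pass http://**.*****.com:82;
        proxy_set_header X-Real-IP $Real_IP;
    }
    # Article read counter
    location ^~ /cms/newsdoc/readcount/ {
        proxy_pass http://**.*****.com:82;
        proxy_set_header X-Real-IP $Real_IP;
    }
    # Search
    location ^~ /search/detail/ {
        proxy_pass http://**.*****.com:82;
        proxy_set_header X-Real-IP $Real_IP;
    }
    # Search (popular searches)
    location ^~ /search/keySearchDetail/ {
        proxy_pass http://**.*****.com:82;
        proxy_set_header X-Real-IP $Real_IP;
    }

    # Cache headers for static assets served from the server root.
    location ~ .*\.(js|css|html)$ {
        expires 7d;
    }
    location ~ .*\.(ico|gif|jpg|jpeg|png|bmp)$ {
        expires 30d;
    }
}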
四、vhosts/**2.conf
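server {
    listen 443 ssl;
    # certificate chain
    ssl_certificate /opt/web/ssl/*****.com.pem;
    # private key
    ssl_certificate_key /opt/web/ssl/*****.com.key;
    server_name **.*****.com;
    root /opt/web/*****.com/;
    index default.html index.html index.htm;
    access_log /var/log/nginx/access_**.*****.com.log main;
    error_log /var/log/nginx/error_**.*****.com.log warn;
    error_page 401 404 /40x.html;
    error_page 500 504 /50x.html;
    location = /40x.html {
        root /usr/local/nginx/html;
    }
    location = /50x.html {
        root /usr/local/nginx/html;
    }

    # Block servlet-container metadata directories. These must be ^~ prefix
    # locations: every other prefix location here (including `^~ /`) carries
    # ^~, which stops nginx from evaluating regex locations, so the original
    # `location ~ ^/(WEB-INF|META-INF)/*` was never reached and such requests
    # were proxied to the backend instead of denied.
    location ^~ /WEB-INF {
        deny all;
    }
    location ^~ /META-INF {
        deny all;
    }

    # Static trees served directly from disk (same root as the server); the
    # ^~ prefix keeps them out of the proxied catch-all below.
    location ^~ /file/ {
        root /opt/web/*****.com/;
    }
    location ^~ /html/ {
        root /opt/web/*****.com/;
    }
    location ^~ /resource/ {
        root /opt/web/*****.com/;
    }

    # Everything else goes to the application backend over plain HTTP on
    # port 82 (acceptable only on a network the backend trusts). The original
    # also set root/index here; proxy_pass is the content handler for this
    # location, so they had no effect and were dropped.
    location ^~ / {
        proxy_pass http://**.*****.com:82;
        proxy_set_header Host $host;
        # Direct peer address, not a forwarded header, so this one is reliable.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NOTE(review): 10-minute proxy timeouts let a slow backend pin a
        # worker connection for a long time; lower them if the app allows.
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        proxy_connect_timeout 600;
        client_max_body_size 20M;
    }

    # NOTE(review): with every prefix location above marked ^~, nginx never
    # evaluates these regex locations, so the expires headers are currently
    # not applied to anything. Move the expires directives into the static
    # prefix locations (or nest regex locations there) if the caching was
    # intended.
    location ~ .*\.(js|css|html)$ {
        expires 7d;
    }
    location ~ .*\.(ico|gif|jpg|jpeg|png|bmp)$ {
        expires 30d;
    }
}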
五、sbin/clearLogs.sh
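#!/bin/bash
# Delete per-day nginx access logs that are older than the retention window.
# Intended to run unattended from cron (see the crontab entry in this document).
#
# Environment (optional):
#   NGINX_LOG_DIR  directory searched (default /var/log/nginx)
#   RETAIN_DAYS    files last modified more than this many days ago are removed
#                  (default 10)
set -euo pipefail

log_dir=${NGINX_LOG_DIR:-/var/log/nginx}
retain_days=${RETAIN_DAYS:-10}

# A non-numeric retention would make find fail with a confusing message (or,
# worse, match nothing silently); reject it up front.
if [[ ! "$retain_days" =~ ^[0-9]+$ ]]; then
  printf 'clearLogs.sh: RETAIN_DAYS must be a non-negative integer, got %s\n' "$retain_days" >&2
  exit 2
fi

# The vhost access_log path is /var/log/nginx/<YYYY-MM-DD>.access_www.<host>.log,
# hence the name pattern (the host part is left as a glob, as in the original).
# Only regular files are considered (-type f) and rm -f replaces rm -rf, so a
# directory that happens to sit under the log tree can never be removed
# recursively. ${log_dir:?} aborts rather than searching "/" if the variable
# is somehow empty.
find "${log_dir:?}" -type f -mtime "+${retain_days}" \
  -name "*.access_www.******.com.log" -exec rm -f -- {} +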
六、每天定时执行
终端执行:crontab -e
录入:
# Every day at 01:00: remove old per-day access logs via clearLogs.sh
00 1 * * * /usr/local/nginx/sbin/clearLogs.sh